Organizations should develop a comprehensive strategy for managing third-party security risks and avoid over-reliance on any one tool, such as vendor security risk assessment, monitoring or ratings services, says analyst Jie Zhang of Gartner.

Risk management professionals should use security risk resources carefully "and you should really have your own strategy in terms of third-party risk," she says in an interview with Information Security Media Group.

"For any organization today, third-party risk is a very messy area. That's because there is no [dedicated] third-party risk organization in general, within most organizations," she notes. "The risk ownership or accountability is being shared among multiple functional areas within the organization."

Too many organizations lack a centralized way of evaluating their vendors, she notes. "So these third parties are coming to the organization from different angles. There is no central role or program that is designed to go through all these third parties from an intake process," she says.

Organizations that use the services of hundreds or thousands of third parties "have to think about a governance perspective," she says.

For instance, these organizations need to decide whether a committee should be formed, "or a central role that would own the program - but not necessarily all the risks," she says. That entity should work with domain stakeholders within the organization "and come up with consistently followed common-ground assessment, workflow, methodologies and even terminology in how you describe risk and triage ... and treat risks," she says.

That approach makes more sense than taking a "piecemeal" approach "or thinking a particular rating service would solve all the problems," she adds.

In the interview (see audio link below photo), Zhang also discusses:

Caveats about over-reliance on vendor security risk rating services;

How to deal with the evolving "digital supply chain phenomenon";

How third-party security risk management varies in healthcare, financial services and other sectors;

Predictions about vendor security risk management trends in 2020.

Zhang is a senior director analyst at Gartner responsible for covering risk and security management programs. Her areas of specialty include enterprise legal management, integrated risk management and digital innovation. She has 23 years of professional experience in a variety of teaching, advisory and IT-related roles.